September 25, 2008 Public ERCOT Critical Infrastructure Protection Advisory Group (CIP AG) TASOR TF Update Jim Brenton, CISSP CISM Director of Security ERCOT
Public Overview CIP AG Charter Review Provide awareness of recent ERCOT CIP activities and involvement with NERC Standards/Guideline Activities Future Steps: Move CIP AG into ERCOT TAC Committee Governance Structure 2
Public CIP AG Charter: Purpose The purpose of the ERCOT Critical Infrastructure Protection Advisory Group (CIPAG) is to function as a vehicle to facilitate and enable ERCOT entities to secure their critical assets, become compliant and maintain compliance with relevant cyber security, physical security, and CIP (Critical Infrastructure Protection) standards. 3
Public CIP AG Charter: Functions Serve as an advisory panel to the ERCOT Board of Directors, committees and entities on issues related to cyber security, physical security, and CIP. Function as a forum for the discussion of cyber security, physical security and CIP issues within the ERCOT Region. Serve as an interface between the North American Electric Reliability Corporation (NERC) CIP Committee (CIPC) and ERCOT entities; provide a conduit for information flows between the CIPC and ERCOT entities; and communicate CIP issues to the ERCOT marketplace. Develop guidance and recommendations for the NERC CIPC members representing the ERCOT Region. Develop methodologies/criteria for the identification of what are Critical Assets as defined in NERC CIP Standards. Identify and disseminate potential industry-wide ‘Best Practices’ regarding NERC CIP standard compliance. 4
Public CIP AG Charter: Responsibilities Monitor and participate in all proceedings and proposed cyber and/or physical security standard or rulemaking activities of the Federal Energy Regulatory Commission (FERC), NERC, the Public Utility Commission of Texas (PUCT), or other relevant authority with regard to Critical Infrastructure Protection issues. Develop, where feasible, consensus comments and responses to proposed rulemaking activities by FERC and the PUCT, and for NERC and ERCOT Regional standard development proceedings. –Such consensus comments and responses will not preclude individual companies’ development and submission of their comments and responses. Report to the ERCOT Board of Directors on a periodic basis or as otherwise directed by the Board. 5
Public CIP AG Charter: Membership and Governance Because the CIPAG is an advisory group and not to be part of the formal ERCOT TAC/subcommittee structure, membership is open to all ERCOT member entities. Chair and Vice-Chair –The Chair and Vice-Chair shall be selected by the CIPAG to a term not to exceed 12 months, with terms beginning on January 1 st and ending on December 31 st of the same year. The Chair and Vice-Chair may serve succeeding terms. Only an employee of an ERCOT member entity can serve as the Chair or Vice- Chair. –The Chair shall also report to the Board on behalf of the CIPAG. The Vice-Chair shall act as Chair at CIPAG meetings in the absence of the Chair. 6
Public CIP AG Charter: Meetings The CIPAG and its work groups shall meet as often as necessary to perform their duties and functions. All meetings of the CIPAG shall be called by the Chair and all such meeting notices shall be sent in writing to each member, including , and posted to the ERCOT website at least one (1) week prior to the meeting unless an emergency condition should suggest otherwise. The Chair shall preside at all meetings and is responsible for preparation of agendas for such meetings which will be posted to the ERCOT website in advance of the meeting. In the absence of the Chair and the Vice-Chair, the group shall select another CIPAG member to preside at the meeting. The Chair, or the presiding member, shall be guided by input from the membership in the conduct of the meetings. 7
Public CIP AG Charter: Meetings--Continued ERCOT staff shall be responsible for recording minutes or notes of CIPAG meetings and distributing such along with other communications to all members of the CIPAG. Additionally, such information will be posted on the ERCOT website as authorized by the CIPAG and author of document. The meeting manager will be appointed by ERCOT and will be an ERCOT staff member. The Chair may instruct ERCOT staff to exclude portions of CIPAG discussions and communications from wide-spread distribution and posting due to the confidential security nature of the material. CIPAG meetings and CIPAG work group meetings may be attended by any interested party; however, such persons may be excluded at the discretion of the members from portions of CIPAG meetings and CIPAG work group meetings where sensitive information is presented or discussed. 8
Public CIP AG Charter: Voting Because the CIPAG is an advisory group and not part of the formal ERCOT TAC/subcommittee structure, no votes will be taken which bind any ERCOT members. The Chair will endeavor to ensure that every effort shall be made to reach consensus on all recommendation decisions of the CIPAG. When reporting to the ERCOT board or other groups, when consensus can not be reached, the CIPAG report shall include all positions and recommendations. 9
Public CIP AG Charter: Standing and Ad Hoc Work Groups The CIPAG may form standing work groups and temporary or ad hoc task forces on an as- needed basis. The CIPAG will direct these work groups and make assignments as necessary. The CIPAG Chair, with CIPAG approval, will appoint the Chair for each work group to the shorter of a one-year term on a calendar year basis or until the work group is no longer required. The work group Chair is responsible for calling meetings as often as necessary for the work group to perform its duties and functions. Each work group Chair shall be responsible for setting the agenda and presiding over the respective work group meetings. The work group Chair shall also report on the work group activities and present recommendations, including any minority reports, to the CIPAG on behalf of the work group. All work group actions are subject to CIPAG review. 10
Public CIP AG Charter: Amendments These Procedures may be amended upon motion by any member of the CIPAG and approval of that motion by consensus of the CIPAG, provided such amendment may not be in conflict with the ERCOT Bylaws, Board Procedures, Board Resolutions, or ERCOT Protocols. The ERCOT Board may, upon its own motion, amend these Procedures. 11
Public Upcoming CIP AG Topics of Interest NERC Guideline for Critical Asset Identification NERC Guideline for Threat and Incident Reporting to ES-ISAC New NERC Alert Distribution Process NERC Organizational Changes to Better Address CIP and Cyber Security 12
Public DRAFT NERC Guideline for Identifying Critical Assets NERC CIPC and Requirements Working Group have been working on voluntary guidelines to assist Asset Owners in how to identify critical assets as required in NERC Standard CIP The NERC guideline will be structured to be relevant across the industry and all regions Provides details and specificity missing from CIP Will be reviewed and updated once changes made to accommodate FERC Order No. 706 are made to CIP ERCOT members encouraged to participate in upcoming NERC CIPC Guideline Process 13
Public DRAFT NERC Guideline for Identifying Critical Assets—Con’t This guideline is still in Draft (Step 9) pending final approval from CIPC –Spring 2009 CIPC meeting Provides an overview of commonly accepted definition of Risk and it will reduce the assessment methodology to an Impact Evaluation Key Phrase: “… if an asset is destroyed, degraded, compromised, or otherwise rendered unavailable and impacts the reliability or operability of the BES, then the asset is a Critical Asset, regardless of the type of threat that exists or absence of vulnerabilities.” 14
Public 15 DRAFT NERC Guideline for Identifying Critical Assets—Con’t Provides specific evaluation criteria tailored for: –Transmission Substations –Generator Resources –Control Centers (a definition of Control Center is offered) –Special Systems
Public Electricity Sector-Information Sharing & Analysis Ctr Update NERC Board of Trustees (BoT)and the Member Representative Committee (MRC) created a Task Force to recommend future direction for the ES-ISAC Task Force recommended that ES-ISAC remain within the structure and control of NERC Also made recommendations for necessary resources for ES- ISAC to be effective, and formally documented controls and oversight. Related Note: the CIPC ES-ISAC Working Group is beginning to define a NERC project to re-develop the CIP Information System (CIPIS) to better support security incident reporting as required in some NERC Standards 16
Public ESSG Formed to Place Increased Emphasis on Security and CIP NERC BoT has approved the Charter for the Electricity Sector Steering Group (ESSG) ESSG Membership includes NERC CEO and Six CEO Representatives from the MRC, which includes: Funding and resources for the ES-ISAC are identified in the NERC 2009 Budget 17
Public New NERC Alert Distribution Procedures Effective Soon Draft NERC Alert Distribution Procedure presented to CIPC at June Meeting NERC Alerts will have three levels –Alert Level 1: Industry Advisory these alerts are purely informational, intended to alert registered entities to issues or potential problems. A response to NERC is not necessary. –Alert Level 2: Industry Recommendation these alerts recommend specific action be taken by registered entities. –Alert Level 3: Essential Action these alerts require specific action by registered entities and require NERC Board of Trustees approval prior to issuance. 18
Public NERC Alert Distribution (cont.) NERC has asked the Regional Entities to obtain a Contact Name and Address from each Registered Entity within their region The address will go into the NERC Alert Distribution List. The Contact will be the person accountable for receipt of Alerts and assuring their Entity’s appropriate handling of the Alert While providing a single Contact Name, some Entities have created an exploder account where several people with varying expertise will receive the Alerts to help ensure appropriate and timely handling 19
Public NERC Organizational Changes NERC has recently released: –Letter from Rick Sergel to NERC Stakeholders –Press Release regarding NERC Emphasis on Cyber Security and Critical Infrastructure Protection (CIP) –Press Release announcing recent hiring of NERC Chief Security Officer (CSO) Rick Sergel’s Letter acknowledges: –NERC’s scope of authority is jurisdictionally bounded –CIP is ever-changing with technology –Cyber Threats are International –CIP Threats require Confidential Assessment –Response, or a lack of response, to CIP Threats can be harmful 20
Public NERC Organizational Changes (cont.) Rick Sergel’s Letter Recommends: –Establishing role of Chief Security Officer –Establishing CIP as a formal NERC Program –Alternative standards setting process for Cyber Security –Improve depth of Expertise –Closer coordination with Government Press Release regarding Emphasis on Cyber and CIP –Increase NERC Expertise –Alternative standard setting process for Cyber Security –Expedite review of current Cyber Security Standards –Joint Collaboration on Cyber Security Press Release announcing hiring of NERC CSO Michael J Assante, formerly from Idaho National Labs 21
Discussion? Thank you